The SignServer team is pleased to announce the release of SignServer 5.9. This release adds support to optionally use a Keyfactor branded web interface. The support for Android signing in cloud deployments has also been improved. SignServer 5.9 uses upgraded versions of the Log4j and OpenPDF libraries.
Included in this release are also the changes made in SignServer 5.8.2, which was only released internally.
Keyfactor branded Web Interface
Meet the new face of SignServer! SignServer 5.9 includes a new web theme as SignServer is part of the Keyfactor product portfolio. The functionality offered by the web interface in previous versions is still available and the default web theme still uses PrimeKey colors. When upgrading to SignServer 5.9 from a previous version, you can select whether to enable the new theme or not.
Android Signing Improvements for Cloud Deployments
Based on an improvement in SignServer APK signers it is now possible to store signing certificates in the signer rather than in the crypto token. This option is particularly valuable in deployments where the used crypto token does not support storing certificates which is the case for example in AWS CloudHSM. To store the signing certificate in the worker configuration, disable the Install in Token option, see Workers Install Certificates Page for more information.
As has been stated before, SignServer was never vulnerable to CVE-2021-44228 nor the subsequent findings due to the fact that SignServer handles logging through JBoss EAP/WildFly, merely facilitated by the Log4j API. Log4j version 1 has been included in the source mainly as a building block and not used in the main deployment, and is only ever directly referenced from the CLI, but will hence still trip automatic vulnerability scanners. As we understand that some of our customers need to comply with auditors and other regulatory authorities, we have decided to accelerate the planned upgrade of Log4j to the latest release in order to dissolve any questions about SignServer being vulnerable.
Change Log: Resolved Issues
For full details of fixed bugs and implemented features in SignServer 5.9.0, refer to our JIRA Issue Tracker.
DSS-2405 - Support for JBoss EAP 7.4
DSS-2438 - Support for switching web theme
DSS-1498 - Support in PlainSigner for client-side hashing with PKCS1 v1.5 with encoding on server-side
DSS-2192 - Use the new worker properties bulk editing method in system tests
DSS-2352 - Support in APK signers for certificate in config instead of import it into the token
DSS-2390 - Upgrade JackNJI11 to a version with upstreams and our changes - 1.2-pk2
DSS-2415 - Support DER-reencode also for client-side hashing mode in CMSSigner
DSS-2423 - MasterListSigner support for files larger than 1 MB
DSS-2425 - Add support for signing a protected PDF without supplying owner password
DSS-2426 - Upgrade/migrate to OpenPDF in PDFSigner
DSS-2435 - Documentation note regarding SoftHSM2 and key wrapping mechnisms
DSS-2436 - Do not fail for directories and clarify in documentation that -indir does not go into directories
DSS-2437 - Remove custom security manager used in some junit tests
DSS-2439 - Improve the test coverage for P11NG
DSS-2442 - Initialize signing closer to the actual signing in PDFSigner
DSS-2443 - Update copyright year for 2022
DSS-2444 - Upgrade JackNJI11 to 1.2-pk3
DSS-1985 - UsernamePasswordAuthorizer uses platform encoding
DSS-2440 - Failing or aborting in the middle of a multi-part signing can lead to CKR_OPERATION_ACTIVE errors when that session is later being reused
DSS-2334 - System tests using already configured Peers connection
DSS-2403 - Update documentation for WildFly 24
DSS-2424 - Upgrade log4j library
DSS-2206 - CESeCore Merge: Configure full Azure Key Vault Name which would include the DNS FQDN
DSS-2418 - Upgrade JackNJI11 to include "Keep memory in template" fix
DSS-2427 - Unduplicate P11NG CLI code both in P11NG-Common and P11NG-CLI
DSS-2431 - Upgrade SLF4J
DSS-1773 - P11NG CLI - 'oneTimePerformanceTest' action with ShortLived RSA key causes process crash
DSS-2409 - Apache HttpClient not deployed with signserver.ear unless peers module included
DSS-2411 - Public key objects not removed with P11NG removeKey method
DSS-2413 - Key objects created when generating a wrapped key not explicitly removed
DSS-2414 - Unwrapped key not released properly after generating CSR
DSS-2416 - Unit test signature verification not checked properly in CMSSignerUnitTest